Stuff


I read the paper and I missed the quote about Slash security that the AC refers to. But, the paper does say the following:

So assuming a user actually changes his or her password, Slash 2.0 actually does a decent job of obfuscating it in a cookie with MD5 encryption. In terms of account lock out, the Slash distribution also includes a script to aid in IP address banning for suspicious brute-force behavior.